INSPECTOR GENERAL                                                          IG-U-042

UNITED STATES INTERNATIONAL TRADE COMMISSION
WASHINGTON, D.C. 20436

September 25, 1997

MEMORANDUM

TO:       Director, Office of Information Services

FROM:     Inspector General

SUBJECT:  Inspection Report No. 04-97: Vulnerability Assessment of the Commission's
          Automated Information Systems

We initiated this inspection in August 1997 as a follow-up to the findings and
recommendations made in Audit Report No. IG-01-96, Audit of the USITC Local Area
Network Operations. That report identified weaknesses in the adequacy of the
Commission's Local Area Network (LAN) security.

Our objective was to assess the potential vulnerability of Commission automated
information systems to unauthorized access from external sites. We found that, within the
limited parameters of this assessment, we were unable to obtain unauthorized access to
the Commission's internal network through either the publicly accessible Internet gateway
or telephone connections. However, certain vulnerabilities were identified that could
potentially be exploited to obtain such access. The results of our inspection are
summarized below and presented in their entirety in the vulnerability assessment
transmitted with this memorandum.

Background and Scope

Since 1988, the Commission has invested substantial resources to automate agency
functions and implement a LAN. As of September 1997, the Commission's LAN consisted
of 11 file servers running Banyan Vines 5.5; several special application servers, such as for
facsimile messages; and approximately 400 personal computers as workstations. The
LAN supports a variety of office automation functions, including word processing,
electronic mail, spreadsheets and end-user database applications. The system contains
unclassified as well as sensitive information, such as confidential business information.

The Office of Inspector General (OIG) contracted with the Computer Sciences Corporation
(CSC) to conduct a limited vulnerability assessment of the Commission's LAN. The
fieldwork was done from August 29 through September 2, 1997. CSC assessed the
vulnerability of the Commission firewall and surrounding computer components. CSC also
performed a "wardialing" exercise against the Commission's telephone system to identify
weaknesses in access to the system through modems. These tasks were performed from
the CSC Commercial Laboratory site in Maryland using CSC proprietary and freeware tools.
The OIG provided CSC with the Commission's Internet Protocol addresses, the make of its
firewall, and the range of telephone numbers assigned to the Commission. This
information was obtainable by CSC through other means, but for the sake of economy was
provided by the OIG.

Summary of Results

CSC's scan of the Commission's network identified seven hosts that linked the
Commission's automated systems with the Internet. A host is any machine with an
Internet address; hosts that are linked to a system provide a potential entry point. The
seven hosts identified were outside the firewall. CSC was unable to penetrate into the
Commission's internal network through the firewall. However, CSC did identify six
potential vulnerabilities surrounding the host machines.

The vulnerabilities provide no direct access route to the Commission's internal system,
although given the present state of the hosts and with a sufficient amount of time, an
intruder could probably obtain some form of unauthorized access, which is undoubtedly
true of any computer system. According to OIS, the most serious threat would be
mutilation of the Commission's external Internet website and possible denial of access to
the Internet for Commission staff.

In the second phase of the vulnerability assessment, CSC attempted to access
Commission automated information systems through modems attached to various servers.
CSC identified 65 modems within the range of numbers we provided; 51 of these were
later found to be numbers no longer belonging to the Commission. The remaining 14 lines
belonged to OIS or other offices, indicating that staff appear to be complying with
Commission policy prohibiting individual dial-in connections.

All of the modems were called back, and five of the fourteen Commission modems offered
a connection to login prompts. All five of these connections were to OIS-managed devices
which were specifically provided to allow staff dial-in access to Commission resources.
CSC made a very limited attempt to log on to the system by trying carriage returns and
some commonly used passwords, but was unsuccessful. A more serious effort to gain
access via the modems may have been successful.

Suggestions

We suggest that the Director of Information Services implement the recommendations
made on pages 4 and 5 of the vulnerability assessment report in order to more fully secure
the Commission's automated information systems.

The Director of OIS agreed to implement the recommendations in the report even though
the vulnerabilities do not constitute a significant threat. We agree with OIS that the
quality of the systems put in place to secure agency resources is such that implementing
the recommendations will improve security, but not substantially.

The above procedures constitute an inspection made in accordance with the President's
Council on Integrity and Efficiency Standards for Inspections.

If you have any questions, please contact me on 205-2210.

cc: Commission


International Trade Commission
Vulnerability Assessment Report

September 8, 1997

Computer Sciences Corporation
Systems Engineering Division
Technology Focus Center
7459 Candlewood Road
Hanover, MD 21076

FOR OFFICIAL USE ONLY


Table of Contents

1 OVERVIEW ............................................................... 1
2 TOOLS .................................................................. 1
  2.1 Hydra .............................................................. 1
  2.2 Strobe ............................................................. 1
  2.3 Whois .............................................................. 1
  2.4 Traceroute ......................................................... 1
  2.5 NSLookup ........................................................... 2
  2.6 Samba .............................................................. 2
  2.7 Netscape ........................................................... 2
  2.8 Toneloc ............................................................ 2
3 METHODOLOGY ............................................................ 2
4 RESULTS ................................................................ 3
  4.1 Network Scan Summary ............................................... 3
  4.2 Network Scan Vulnerability Descriptions and Recommendations ........ 4
    4.2.1 Services Accessible from the Internet .......................... 4
    4.2.2 VRFY Command Allowed ........................................... 4
    4.2.3 NT Guest Account Enabled with NULL Password .................... 4
    4.2.4 Vulnerable CGI Scripts ......................................... 5
    4.2.5 Finger Services ................................................ 5
    4.2.6 Publicly Accessible News Server ................................ 5
  4.3 Wardialing ......................................................... 5
5 SUMMARY ................................................................ 6

APPENDIX A: HYDRA OUTPUT ................................................. 7
APPENDIX B: FIREWALL STROBE OUTPUT ...................................... 11
APPENDIX C: MODEMS/CARRIERS FOUND ....................................... 12
APPENDIX D: REMOTE NT DIAGNOSTICS OUTPUT ................................ 14
APPENDIX E: "NPH-TEST-CGI" CGI EXPLOIT OUTPUT (LISTING HOME DIRECTORIES)  23


1     OVERVIEW
      This document describes the vulnerability assessment conducted by Computer Sciences
      Corporation (CSC) for the International Trade Commission (ITC), involving the ITC's firewall
      and surrounding computer components. CSC also performed a "wardialing" assessment
      against the ITC telephone system. The task was performed from the CSC Commercial
      Laboratory in Hanover, MD, using CSC proprietary and freeware tools.


2     TOOLS

2.1   Hydra
      Hydra is a CSC proprietary software tool that is made up of several different programs, each
      of which performs a particular scanning or penetration task. The core programs are listed
      below:
      • Subscan - scans a range of IP addresses, and reports all existing devices, including hosts,
        routers, printers, and terminal servers.
      • Probe - checks devices discovered by Subscan for network vulnerabilities that lead to
        unauthorized access on the device.
      • Analysis - generates detailed vulnerability reports, using databases created by Subscan
        and Probe.

2.2   Strobe
      This tool scans a host for all active TCP ports from 1 to 65535. It can provide information
      about what services are being offered by the host.

2.3   Whois
      This is an information service available on the Internet that provides information about
      companies and domains that exist on the Internet. This information usually provides a list of
      DNS servers that the particular company or domain is served by.

2.4   Traceroute
      Traceroute is used to discover the network path from one host to another. It does this by
      having each host in the path return information back to the originating host, which gathers the
      information and displays it in a table showing IP addresses, host names, and response times.

2.5   NSLookup
      NSLookup is a standard Unix tool used to send host name queries to arbitrary Domain Name
      Service (DNS) servers. Provided that a server is not restricting access to information,
      NSLookup can gather a list of all host names and their corresponding IP addresses within a
      particular DNS domain.

2.6   Samba
      Samba is a set of tools allowing access to Microsoft Network share resources. This tool can
      be used to read from or write to shared Windows NT file directories from a Unix platform.

2.7   Netscape
      Netscape is a World Wide Web (WWW) browsing client, and is used to examine WWW
      servers for vulnerabilities, including exploitable CGI scripts.

2.8   Toneloc
      Toneloc is a wardialer used to dial a large quantity of phone numbers in an attempt to
      discover modems. The wardialing process involves the use of Toneloc, an automated
      software tool which uses the phone range parameters to dial all numbers in the designated
      range in a random pattern to identify modems within that range.


3     METHODOLOGY
      CSC used Hydra to scan the Demilitarized Zone (DMZ) of the ITC Internet presence. This
      DMZ includes the premise router (that connects ITC to the Internet Service Provider), the
      firewall protecting ITC internal networks, and all hosts located on the LAN segment between.
      This LAN segment uses the 205.197.120 Class C IP subnet.

      CSC used Whois, Traceroute, and NSLookup to gather information about the ITC network
      connectivity to the Internet. This information can usually provide a starting point for attack and
      penetration efforts. For example, the Whois utility will provide the name of the DNS server for
      the ITC. NSLookup can then be used to gather a list of publicly known ITC machines from the
      DNS server, and Traceroute can be used to discover the network path to the ITC firewall.

      Samba was used to attempt connections to any machines that were sharing out resources via
      SMB (Microsoft Network). It was used to test account availability on NT machines, and to
      gather NT Domain information about the machines. Strobe was used to gather a list of all
      active TCP ports on the firewall.

      Toneloc was used for the "wardialing" analysis to dial all of the ITC phone numbers. The
      ranges of numbers are within the 202-205-xxxx range, and include 1800-2253, 2300-2399,
      2501-2599, 2602-2699, 2701-2799, 3101-3399, and 3402-3499.


4     RESULTS

4.1   Network Scan Summary
      The Hydra scan of the 205.197.120 subnet identified seven hosts. The one host that it did not
      identify, however, was the firewall. Though Hydra was able to see that the firewall was
      present, it was not able to run its normal scans against it. CSC used the Strobe tool to probe
      the firewall for active TCP ports. These ports were tested using a variety of ad hoc methods,
      but any attempts at exploiting the firewall's services were unsuccessful. The table below
      indicates the potential vulnerabilities discovered on the other seven hosts, followed by
      descriptions of those vulnerabilities. Vulnerabilities within DMZ hosts can often lead to
      unauthorized access through a firewall, usually due to trust relationships between the firewall
      and the DMZ hosts.

      Host Description                                    Vulnerabilities
      --------------------------------------------------  ----------------------------------------------------
      205.197.120.1, probable Cisco router                Telnet and Finger services are accessible from the
                                                          Internet, and NetBIOS connections are allowed from
                                                          the Internet.

      205.197.120.3 (net1.usitc.gov)                      The SMTP service supports the VRFY command.
      OS = unknown
      (seems to also go by net2.usitc.gov)

      205.197.120.5 (Error! Reference source not found.)  The "guest" account seems to be enabled with a NULL
      OS = Windows NT 3.51                                password, allowing the two shared resources
      Windows name = ITC-WEB                              "columbia" and "heaven" to be mapped remotely. The
      Windows domain = WEBSERVER                          Event Log and Diagnostics may also be viewed
                                                          remotely.

      205.197.120.17                                      No vulnerabilities found.
      OS = Windows NT 4.0
      Windows name = ITCDB
      Windows domain = WORKGROUP

      205.197.120.37 (beardog.usitc.gov)                  A number of CGI scripts, available through the WWW
      OS = SunOS 4.1.x                                    server application, have vulnerabilities allowing
      (running NCSA v1.5.1 WWW Server)                    remote browsing of the file system (but not the
                                                          content of actual files). The SMTP service supports
                                                          the VRFY command, and Finger services are available.

      205.197.120.86 (news.usitc.gov)                     The SMTP service supports the VRFY command. The News
      OS = Windows NT 4.0                                 services allow connections and transactions from the
      Windows name = NEWS                                 Internet.
      Windows domain = WORKGROUP
      (running Netscape Mail Server v2.0)

      205.197.120.222                                     No vulnerabilities found.
      OS = Windows NT 3.51
      Windows name = FIRSTSERVER
      Windows domain = OIS


4.2   Network Scan Vulnerability Descriptions and Recommendations

4.2.1 Services Accessible from the Internet
      A majority of the machines within the DMZ are directly accessible from the Internet. The
      router between the DMZ and the Internet Service Provider does no filtering of incoming
      connections.

      It is typically a good idea to have a premise router filter any unwanted connections before they
      reach the DMZ. If there is no need to allow incoming NetBIOS connections, that service
      should be disallowed at the router. Any other services not needing to be accessed from the
      Internet should be blocked as well (such as Finger and News).

4.2.2 VRFY Command Allowed
      The SMTP VRFY command allows remote users to query a mail host for valid mail account
      names. This can often be used to confirm or gather a list of potential target accounts on a
      machine.

      If the SMTP server software permits, the VRFY command should be disabled.

4.2.3 NT Guest Account Enabled with NULL Password
      Since the "guest" account is a default account created during the initial installation of NT, it is
      often a target account for attacks. Some implementations of NT, however, require the "guest"
      account to exist and be enabled in order for certain services (such as WWW and FTP) to
      work properly. However, the "guest" account can be used through the NetBIOS protocol to
      gather information about the server, such as being able to browse through the Event Logs or
      the Diagnostics output.

      Whenever possible, the "guest" account should be disabled, or given a password. In cases
      where the account can't be disabled, the premise router should block NetBIOS connections to
      the particular server that has the "guest" account.

4.2.4 Vulnerable CGI Scripts
      A number of the sample CGI programs distributed with the NCSA 1.5.1 WWW Server
      application contain vulnerabilities that allow attackers to obtain directory listings of any
      directory within the server's file system. These CGI programs include "test-cgi" and
      "nph-test-cgi".

      Any CGI programs not needed should be deleted, and patches applied to those that are
      needed.

4.2.5 Finger Services
      Finger is a service that allows remote users to gather information about accounts on a system.
      Information about the account, such as the home directory, default shell, owner, and last login
      time and origin may be obtained. This information can be used to gather information about
      the accounts on a system, and provide starting information for an attack.

      The Finger service should be disabled on all DMZ machines.

4.2.6 Publicly Accessible News Server
      The News server in the DMZ allows remote (non-ITC) clients to connect and download (and
      possibly upload) articles from the server. Any ITC information on the server would be
      available to the Internet.

      The server should be configured to only allow connections from designated Internet hosts.
      Typically, only the main news feed site is allowed access from the Internet.

4.3   Wardialing
      The following table indicates the wardialing statistics gathered during the dialing vulnerability
      assessment.

                                              Total       Percent of Total
      Numbers Dialed                           1247                    N/A
      Busy                                       66                  5.29%
      Voice                                     485                 38.89%
      RingOut (max rings = 7)                   383                 30.71%
      Timeout (wait time 60 sec)                248                 19.89%
      Carriers Detected                          65                  5.21%

      All of the carriers found were called back, with the intent to exploit the remote answering host.
      During the dial backs, CSC was unable to exploit any of the carriers, but there was very little
      time available to work this potential area. A number of the carriers found appeared to be
      Point-to-Point dial-up servers, and NT Remote Access Servers (RAS).


5     SUMMARY
      CSC was unable to penetrate into the ITC internal network through the firewall. Though a
      number of the hosts within the DMZ had vulnerabilities that CSC could exploit, none of those
      exploits resulted in privileged control of the machines. Given the present state of the hosts on
      the DMZ, and with a sufficient amount of time, it is probable that some form of access could
      be achieved. With that access, an intruder would be able to set up a remote network packet
      sniffing program to gather information being passed between the ITC internal network and the
      Internet. It is therefore important that the DMZ hosts be secured.

      CSC's wardialing effort turned up a number of modems attached to various servers that could
      potentially be exploited. A handful of carriers offered connection to login prompts. However,
      CSC was unable to guess any of the passwords or account names that would give access to
      the remote host.
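Section 4.2.2 recommends disabling VRFY. The check below, an added example that is not part of the CSC report or of any ITC tooling, decides whether a mail host is actually an account oracle by comparing its replies for a name that must exist (postmaster) and one that cannot; the host names and the sample transcript are constructed.

```python
"""VRFY exposure check for the finding in section 4.2.2 (added example).

VRFY only leaks something when the server answers differently for an account
that exists and one that does not, so two probes are compared instead of
reading a single reply code.
"""
import re
import smtplib

KNOWN_GOOD = "postmaster"                    # every SMTP server must accept it
KNOWN_BOGUS = "zz-no-such-account-7f3a19"    # constructed, deliberately improbable

REPLY_RE = re.compile(r"^(\d{3})[ -]")


def parse_reply(line: str) -> int:
    """Return the 3-digit code of an SMTP reply line ('250 ...' or '250-...')."""
    m = REPLY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SMTP reply: {line!r}")
    return int(m.group(1))


def vrfy_verdict(good_code: int, bogus_code: int) -> str:
    """Combine the replies to VRFY <existing> and VRFY <nonexistent>."""
    if good_code in (500, 502) and bogus_code in (500, 502):
        # Command not implemented: the state the report asks for
        # (sendmail: O PrivacyOptions=novrfy; Postfix: disable_vrfy_command = yes).
        return "disabled"
    if good_code == 252 and bogus_code == 252:
        return "safe"           # 252 'cannot VRFY, will try delivery' for everyone
    if good_code != bogus_code:
        return "enumerable"     # the server confirms which names are real accounts
    return "inconclusive"       # same code both times; read the reply text


def verdict_from_transcript(lines):
    """Evaluate a captured session in which the first VRFY names the known-good
    account and the second the bogus one (e.g. a scanner's raw output)."""
    codes = []
    want_reply = False
    for line in lines:
        if line.upper().startswith("VRFY "):
            want_reply = True
        elif want_reply and REPLY_RE.match(line):
            codes.append(parse_reply(line))
            want_reply = False
    if len(codes) != 2:
        raise ValueError("transcript must contain exactly two VRFY exchanges")
    return vrfy_verdict(codes[0], codes[1])


def check_host(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Live probe of one mail host (needs network access to the host)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        good_code, _ = smtp.verify(KNOWN_GOOD)
        bogus_code, _ = smtp.verify(KNOWN_BOGUS)
    return vrfy_verdict(good_code, bogus_code)


# Constructed transcript of a host with VRFY enabled (not an ITC system).
SAMPLE_TRANSCRIPT = [
    "220 mail.example.test ESMTP ready",
    "HELO scanner.example.test",
    "250 mail.example.test Hello scanner.example.test",
    "VRFY postmaster",
    "250 Postmaster <postmaster@mail.example.test>",
    "VRFY zz-no-such-account-7f3a19",
    "550 zz-no-such-account-7f3a19... User unknown",
    "QUIT",
    "221 mail.example.test closing connection",
]

if __name__ == "__main__":
    print("sample transcript:", verdict_from_transcript(SAMPLE_TRANSCRIPT))
```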
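Section 4.2.4 recommends deleting the NCSA sample scripts. The log check below, an added example that is not part of the CSC report, finds requests to test-cgi and nph-test-cgi in a web server access log and separates plain probes from requests carrying shell glob characters in the query; the Common Log Format and the sample lines are assumptions, with addresses from documentation ranges.

```python
"""Access-log detection for the sample-script finding in section 4.2.4 (added example)."""
import re
from urllib.parse import unquote

# NCSA Common Log Format: client ident user [time] "METHOD target [version]" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)
SAMPLE_SCRIPTS = frozenset({"test-cgi", "nph-test-cgi"})
GLOB_CHARS = frozenset("*?[")   # characters a shell expands into directory listings


def classify_target(target: str):
    """Return None, 'probe' or 'listing-attempt' for one request target."""
    path, _, query = target.partition("?")
    if path.rsplit("/", 1)[-1] not in SAMPLE_SCRIPTS:
        return None
    # Decode %2A and friends so an encoded wildcard is not missed.
    if GLOB_CHARS & set(unquote(query)):
        return "listing-attempt"
    return "probe"   # any hit matters: the scripts should not be installed at all


def scan_log(lines):
    """Return (client, target, status, verdict) for each matching request.
    A 200 beside a listing-attempt means the script was still there to answer."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        verdict = classify_target(m["target"])
        if verdict:
            findings.append((m["host"], m["target"], int(m["status"]), verdict))
    return findings


# Constructed access-log lines; not taken from any ITC server.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Aug/1997:14:02:11 -0400] "GET /cgi-bin/test-cgi?* HTTP/1.0" 200 512',
    '203.0.113.5 - - [30/Aug/1997:14:02:13 -0400] "GET /cgi-bin/nph-test-cgi?/* HTTP/1.0" 200 4096',
    '192.0.2.7 - - [30/Aug/1997:14:05:00 -0400] "GET /cgi-bin/test-cgi HTTP/1.0" 200 300',
    '192.0.2.9 - - [30/Aug/1997:14:06:30 -0400] "GET /index.html HTTP/1.0" 200 1023',
    '198.51.100.4 - - [30/Aug/1997:14:07:02 -0400] "GET /cgi-bin/test-cgi?%2A HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
```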